My Health Records Amendment (Strengthening Privacy) Bill 2018


ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 30, 2018–19
16 OCTOBER 2018

My Health Records Amendment (Strengthening Privacy) Bill 2018

Owen Griffiths
Law and Bills Digest Section

Date introduced: 22 August 2018
House: House of Representatives
Portfolio: Health
Commencement: The day after the Act receives Royal Assent.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website. When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website. All hyperlinks in this Bills Digest are correct as at October 2018.

Contents

Purpose of the Bill
Structure of the Bill
Background
From opt-in to opt-out
Authorisation for the use, collection and disclosure
Concerns regarding disclosures for law enforcement purposes
Government response
Committee consideration
Senate Community Affairs References Committee
Senate Community Affairs Legislation Committee
Senate Standing Committee for the Scrutiny of Bills
Policy position of non-government parties/independents
Australian Labor Party (Labor)
Australian Greens
Centre Alliance
Australian Conservatives
Senator Tim Storer
Position of major interest groups
Financial implications
Statement of Compatibility with Human Rights
Parliamentary Joint Committee on Human Rights
Key issues and provisions
Destruction of records
Collection, use and disclosure
Disclosure orders
What agencies can information be disclosed to? —‘Designated entities’
Grounds for granting access
Threshold for disclosure to designated entities
Judicial officers
Personal capacity and immunity
Disclosure in relation to unlawful activities
Other provisions
Concluding comments

Purpose of the Bill

The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) will amend the My Health Records Act 2012 (MHR Act) to:
remove the authority of the System Operator (the Australian Digital Health Agency or ADHA) to disclose the health information in a My Health Record to enforcement agencies or other government bodies without a judicial order or the healthcare recipient’s consent (making it consistent with the ADHA’s policy position) and
require the System Operator to destroy the health information in a healthcare recipient’s My Health Record if they cancel their registration.1

The Bill will also:
provide the process for orders of disclosure of My Health Record health information to be made by judicial officers to designated entities and
provide for the collection, use and disclosure of health information under the specific legislation, namely the MHR Act and the legislation associated with Auditor-General, the Commonwealth Ombudsman and the Australian Information Commissioner.2

Structure of the Bill

The Bill contains one schedule which includes the amendments to the MHR Act and provides for the application of the amendments.

Background

From opt-in to opt-out

In 2012, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) was passed to enable the establishment and operation of the Personally Controlled Electronic Health Record (PCEHR) system. The objective of the PCEHR system was to facilitate access to health information relating to consumers of healthcare.3 It created an electronic health record system for regulating the collection, recording, use and disclosure of the health information of healthcare ‘consumers’.4

The PCEHR system was a voluntary, or opt-in, system. Eligible consumers could apply to the System Operator to be registered in the PCEHR system.5 The PCEHR Act included a range of privacy and access safeguards for the PCEHR system, but also provided for the System Operator to use or disclose the health information included in a consumer’s record in some circumstances. These circumstances included if the System Operator reasonably believed the disclosure was reasonably necessary for certain things done by, or on behalf of, an enforcement body.6

1. G Hunt, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of Representatives, Debates, (proof), 22 August 2018, p. 7. Under section 14 of the PCEHR Act, the System Operator was originally the Secretary of the Department of Health (unless the Regulations prescribe another body). In 2016, the Australian Digital Health Agency was established and prescribed as the System Operator (see below).
2. Explanatory Memorandum, My Health Records Amendment (Strengthening Privacy) Bill 2018, pp. 9–11.
3. PCEHR Act, section 3.
4. Under section 5 of the PCEHR Act a ‘consumer’ was defined as ‘an individual who has received, receives or may receive healthcare’.
5. PCEHR Act, sections 39 and 40. However, the ‘authorised representative’ (section 6) or ‘nominated representative’ (section 7) of a consumer could also register a consumer with the PCEHR system.
6. PCEHR Act, subsection 70(1).

In November 2013, a review of the PCEHR system, led by the head of Uniting Care Health Queensland Richard Royle, was announced.7 The Review of the Personally Controlled Electronic Health Record was released in May 2014.8 It found there was ‘overwhelming support’ for the implementation of an electronic health record system, but stated that a ‘change in approach’ was needed to correct implementation issues and ‘to review the strategy and role that a shared electronic health record plays in a broader system of health care’.9 The recommendations of the review included that the PCEHR system should be renamed My Health Record and that the system should be transitioned to an opt-out model by 1 January 2015.10

In 2015, the Health Legislation Amendment (eHealth) Act 2015 was passed. This legislation renamed the PCEHR Act to the MHR Act and renamed ‘consumers’ in the legislation as ‘healthcare recipients’. It also amended the MHR Act to allow the Minister to provide that an opt-out model be applied to all healthcare recipients through changes to the My Health Record Rules.

In 2016, the Australian Digital Health Agency (ADHA) was established.11 Section 14 of the MHR Act provides that the System Operator is the Secretary of the Department of Health or a body established by a Commonwealth law that is prescribed under the Regulations. Prior to 1 July 2016, the System Operator was the Secretary of the Department of Health. An amendment to the My Health Records Regulation 2012 prescribed the ADHA to be the System Operator on 1 July 2016.12

On 30 November 2017, the Minister made the My Health Records (National Application) Rules 2017 which applied an opt-out model of registration to My Health Record and specified the period in which healthcare recipients could opt-out. The initial period in which healthcare recipients could choose to opt-out of the My Health Record system was 16 July 2018 to 15 October 2018. This was later extended to 15 November 2018 (see below).

As part of the 2017–18 Budget, the Department of Health stated:

A transition to opt-out participation for My Health Record will bring forward benefits many years sooner than the current opt in arrangements. Opt-out is the fastest way to realise the significant health and economic benefits of My Health Record for all Australians including through avoided hospital admissions, fewer adverse drug events, reduced duplication of tests, better coordination of care for people seeing multiple healthcare providers, and better informed treatment decisions. Opt-out participation is supported by an independent evaluation of two opt-out [trials] undertaken in Northern Queensland and Nepean Blue Mountains Primary Health Network areas. The evaluation showed a high level of support for automatic creation of My Health Records by both healthcare providers and individuals. Across the two opt-out trial areas, the opt-out rate was just 1.9 per cent... 13

7. P Dutton (Minister for Health), Federal Government to review electronic health records, media release, 3 November 2013.
8. P Dutton (Minister for Health), Report into the Personally Controlled Electronic Health Record, media release, 19 May 2014.
9. R Royle, Review of the Personally Controlled Electronic Health Record, [Department of Health], [Canberra], December 2013, p. 13.
10. Ibid., p. 16.
11. Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016.
12. My Health Records Amendment (System Operator) Regulation 2016.
13. Department of Health (DoH), Budget 2017–18: My Health Record – continuation and expansion, Fact sheet, DoH, Canberra, 9 May 2017.

Authorisation for the use, collection and disclosure

The MHR Act establishes a complex regulatory framework for the use, collection and disclosure of the health information included in a healthcare recipient’s My Health Record. A person or organisation can only collect, use or disclose the health information in a healthcare recipient’s My Health Record if they are authorised to do so by the MHR Act. For example, healthcare recipients themselves are authorised to collect, use and disclose, for any purpose, the health information included in their own My Health Record.14 Participants in the My Health Record system, such as registered healthcare providers, have a range of authorisations to collect, use or disclose the health information in a healthcare recipient’s My Health Record.15 These include, for example, collection, use and disclosure of health information for the purpose of providing healthcare to the registered healthcare recipient (in accordance with the access controls set by the healthcare recipient).16

Additionally, under the MHR Act the System Operator (the ADHA) has a number of authorisations to disclose or use the health information contained in a My Health Record in certain circumstances. These include to:
disclose information if ordered to do so by a court or tribunal if the proceedings relate to the MHR Act, unauthorised access to information in the My Health Record system or healthcare provider indemnity cover, or with the consent of the consumer (subsections 69(1) and (4)) and
disclose information if ordered or directed by a coroner (subsection 69(2)).

In particular, section 70 is titled Disclosure for law enforcement purposes, etc. Subsection 70(1) provides that the System Operator is authorised ‘to use or disclose’ the health information included in a healthcare recipient’s My Health Record if the System Operator ‘reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body’.

These are:
the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law
the enforcement of laws relating to the confiscation of the proceeds of crime
the protection of the public revenue
the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct and
the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Subsection 70(2) clarifies that as far as subsection 70(1) relates to the last point regarding the proceedings or orders of courts and tribunals, it is subject to section 69 which (as noted above) provides for these disclosures. Subsection 70(3) provides for the use or disclosure of My Health Record health information if the System Operator ‘has reason to suspect unlawful activity’ which relates to the System Operator’s functions and ‘reasonably believes’ use or disclosure is necessary ‘for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities’.

14. MHR Act, section 67.
15. A participant in the My Health Record system is defined in the MHR Act as meaning: the System Operator, a registered healthcare provider organisation, the operator of the National Repositories Service, a registered repository operator, a registered portal operator and a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider (section 5 of the MHR Act).
16. MHR Act, section 61.

The listed ‘enforcement purposes’ in subsection 70(1) which provide for when the System Operator may use or disclose My Health Record health information reflect, but do not replicate, the factors in Australian Privacy Principles (APP) 6.2(e) which restrict the use or disclosure of personal information by APP entities17 under the Privacy Act 1988 (Privacy Act).18 Provisions which permit the use and disclosure of information and/or documents for ‘enforcement’ reasons exist in a range of other Commonwealth legislation.19

Concerns regarding disclosures for law enforcement purposes

The potential privacy risks associated with the development of a national electronic health record system have led to a range of concerns being expressed, including in relation to access by law enforcement agencies to the stored health information.

For example, in 2011, the Privacy Impact Assessment regarding the proposed PCEHR system undertaken by Minter Ellison Lawyers for the Department of Health and Ageing noted that the system would be ‘an attractive source of data’ for several groups including law enforcement agencies. It stated:

The extent to which the PCEHR is seen as a 'honeypot' of data for insurance companies and law enforcement agencies may impact on the degree of confidence placed in the PCEHR system by consumers.20

Trials of the opt-out My Health Record model were conducted in 2016. The key finding of the evaluation report feedback regarding the confidentiality and security of the My Health Record system was positive:

Once the benefits of the My Health Record system were clear, nearly all focus group participants said that their concerns about security and privacy, or about the fact that a My Health Record had been created, disappeared. They most often said that, while they thought that no computer-based systems were totally safe, on balance they thought that the benefits to them, their families and the health system far outweighed those risks...21

There were also indications that law enforcement access to the health information in the My Health Record system could raise concerns. The evaluation report included:

Concerns about confidentiality and security were expressed more often in the focus group in Mapoon... Questions and concerns were also raised by this group regarding law enforcement agencies having access to the My Health Record system. After clarifying that, as a personally-controlled record, they could set their own privacy settings and also access alerts and logs that detailed which healthcare providers had recently accessed the My Health Record, half the participants were satisfied with the level of security and ability of the My Health Record to keep their information confidential, while the other half remained sceptical [sic].22

17. Under the Privacy Act, an APP entity is an organisation or agency obliged to comply with the Australian Privacy Principles (APP) (see sections 6, 6C and 15).
18. While under subsection 70(1) of the MHR Act the use or disclosure of health information can be for ‘one or more of the following things done by, or on behalf of, an enforcement body’, under APP 6.2(e) the use or disclosure of personal information can be for ‘one or more enforcement related activities conducted by, or on behalf of, an enforcement body’. The meanings in the definition of enforcement related activities in the Privacy Act differ from the ‘things done by’ an enforcement body in subsection 70(1) MHR Act. In the Privacy Act, enforcement related activities also includes ‘the conduct of surveillance activities, intelligence gathering activities or monitoring activities’, ‘the conduct of protective or custodial activities’ and extends to ‘the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations’.
19. See, for example: section 504, Fair Work Act 2009; section 149, Work Health and Safety Act 2011; paragraph 86-3(1)(h), Aged Care Act 1997; subsection 90K(5), Australian Postal Corporation Act 1989; section 38, Dental Benefits Act 2008; section 111, Australian Jobs Act 2013; section 55, Clean Energy Regulator Act 2011; section 21, Student Identifiers Act 2014.
20. Minter Ellison Lawyers, Privacy impact assessment report: Personally Controlled Electronic Health Record (PCEHR), report prepared for the Department of Health and Ageing, 15 November 2011, p. 85.
21. Siggins Miller [a firm], Evaluation of the participation trials for the My Health Record, Final report, [Sydney], November 2016, p.

In 2016, legal academics, Danuta Mendelson and Gabrielle Wolf analysed the My Health Record system and the MHR Act in the context of the change to the opt-out model.

They stated:

Not only has the system failed to fulfil its statutory objectives, but it permits the wide dissemination of information that historically has been confined to the therapeutic relationship between patient and health practitioner. After considering several other purposes for which the system is apparently designed, and who stands to benefit from it, we conclude that the government risks losing the trust of Australians in its electronic health care policies unless it reveals all of its objectives and obtains patients' consent to the use and disclosure of their information.23

They noted:

Circumstances and purposes articulated in the statute include provision of information captured by the My Health Record system to courts and tribunals, as well as use of this information for law enforcement purposes. Although other uses of this information and their scope are yet to be explicitly revealed, it is clear that information previously considered to be within the private domain of individuals and under the control of their chosen health providers is being reconceptualised as shared data about individuals, to be collected, distributed and managed by government and private entities.24

On 7 June 2018, Leanne Wells, the Chief Executive Officer of the Consumers Health Forum of Australia, published an article considering the pros and cons of the My Health Record system, including potential access to health information by law enforcement and government agencies. She stated:

The Government and/or ADHA needs to be transparent with the public about the policies and procedures they have in place around access to My Health Record information by law enforcement and other government agencies, and consider whether changes to guidelines or legislation are needed.25

The My Health Record opt-out period commenced on 16 July 2018.26 This event prompted public discussion regarding the merits of the My Health Record system for healthcare recipients.27 Part of this public debate focused on the provision in the MHR Act for disclosure by the System Operator for law enforcement purposes.28 On 16 July 2018, the ABC published an article with Tim Kelsey, the head of the ADHA, concerning My Health Record which included questions in relation to the rules and policies which guide the ADHA's decision to grant access to law enforcement.29

22. Ibid., p. 88.
23. D Mendelson and G Wolf, ‘My [electronic] health record - cui bono (for whose benefit)?’, Journal of Law and Medicine, 24(2), 2016, p. 283.
24. Ibid., p. 286 (emphasis in original).
25. L Wells, ‘An important overview of the pros, cons and questions about My Health Record’, Croakey, 7 June 2018.
26. ADHA, My Health Record – Australians to decide on a smarter and safer way to share their important healthcare information, media release, 16 July 2018.
27. For example, D Vaile, B Arnold, K Kemp, ‘My Health Record: the case for opting out’, The Conversation, 16 July 2018.
28. For example, B Grubb, ‘The digital health record is a bad idea. I'm opting out, and you should too’, The Age, 17 July 2018.
29. A Bogle, ‘My Health Record: your questions answered on cybersecurity, police and privacy’, ABC News, 15 July 2018.

It stated:

Which rules and policies guide the ADHA's decision to grant access to law enforcement?

The ADHA is authorised by law to disclose someone's health information if it "reasonably believes" it's necessary for preventing or investigating crimes and protecting the public revenue, among other things specified under section 70 of the My Health Records Act.

The agency was unable to provide a definition of "protecting the public revenue" by deadline. When it receives a law enforcement request, the ADHA will need to determine that it's a legitimate request from an enforcement body.

"While the Agency assesses each formal request on a case by case basis, our operating policy is to release information only where the request is subject to judicial oversight," the ADHA said.

"If the access does not support public confidence and trust in the System and the object of the My Health Record Act then the Agency will deny the request."

Law enforcement bodies will not be granted direct access to the My Health Record: The ADHA said any disclosure would be limited to what is necessary to satisfy the purpose of the request.

Has the ADHA received any requests from law enforcement to access records?

Mr Kelsey said no police requests have been received yet.

Will users be informed if their data has been released to law enforcement?

If personal information is disclosed to law enforcement, the decision about whether to notify the My Health Record holder will be decided "case-by-case". Likewise, healthcare provider organisations won't be informed if their patient's data is accessed. The release to police will be recorded in a written note and stored by the ADHA.30

On 21 July 2018, the ADHA issued a fact sheet on police access to My Health Record which noted that it had received ‘a few enquiries regarding other government departments and law enforcement accessing My Health Record’. It stated:

The Australia Digital Health Agency has not and will not release any documents without a court/coronial or similar order. No documents have been released in the last six years and none will be released in the future without a court order/coronial or similar order. Additionally, no other Government agencies have direct access to the My Health Record system, other than the system operator.31

However, during this period, concerns regarding the potential for disclosures under section 70 continued to be expressed.32 For example, on 22 July 2018 the former Australian Medical Association (AMA) president Professor Kerryn Phelps was reported as saying that allowing police access to My Health Record information would undermine trust in the medical profession and the health system. She asked:

If someone has a cocaine problem, will they want to tell their doctor and seek help if they think it has any possibility of being uploaded to a site that can be accessed by police?33

30. Ibid.
31. Australian Digital Health Agency (ADHA), Fact sheet: police access to My Health Record, ADHA, 21 July 2018.
32. For example, B Keane, ‘Soon there may be no escape from government and corporate surveillance’, Crikey, 23 July 2018.
33. S Dunlevy, ‘Health record at risk of hacking’, The Sunday Telegraph, 22 July 2018, p. 15.

Anna Johnston, a privacy consultant with Salinger Privacy, stated:

While any policy by ADHA to limit the exercise of its powers under the legislation is welcome, the fact remains that the legislation governing the My Health Record does give the operator of the system very wide discretion to release health information about individuals to a wide range of enforcement bodies, which is not just law enforcement agencies like police but also includes the Immigration Department for example... The law allows disclosure not only in response to a court order or warrant, but also under a 'reasonable belief' test relating to matters beyond just criminal law offences.34

On 23 July 2018, an entry concerning ‘Law enforcement access to My Health Record data’ was published on the Parliamentary Library’s FlagPost, a blog on current issues of interest to members of the Australian Parliament.35 This entry also noted that, while it was the policy of the ADHA in relation to law enforcement to only release information where requests are subject to judicial oversight, ‘it does not appear that the ADHA’s operating policy is supported by any rule or regulation’.36

In light of the public discussion regarding the privacy and security of patient health information, key medical professional organisations clarified their views on the My Health Record system.37 The President-elect of the Royal Australian College of General Practitioners (RACGP) spoke with the Minister for Health, Greg Hunt, to discuss ‘strengthening the legislation’s privacy provisions’.38 On 25 July 2018, the AMA President Dr Tony Bartone called for the Government to provide guarantees about the long-term security of the privacy of the My Health Record system which could involve ‘examining the legislation’. He stated:

[T]here had been a groundswell of concern from AMA members, the broader medical profession, and the public about the 2012 legislation framing the My Health Record, particularly Section 70, which deals with the disclosure of health information for law enforcement purposes.39

34. Stilgherrian, ‘Tens of thousands opt out of My Health Record, but can Immigration and local councils view the rest?’, ZDnet, 17 July 2018.
35. N Brew, ‘Law enforcement access to My Health Record data’, FlagPost, Parliamentary Library blog, 26 July 2018. This entry was originally uploaded on 23 July 2018.
36. Ibid. Following feedback from the Department of Health, the FlagPost entry was briefly withdrawn and republished on 26 July 2018 with additional information. Correspondence between the Department of Health and the Parliamentary Library relating to this matter has been released under the Freedom of Information Act 1982 by the Department of Health. These documents are available on the Department of Health’s website.
37. For example, B Grubb, ‘Peak GP body's alleged support for My Health Record called into question’, Crikey, 23 July 2018.
38. P Hayes, ‘Federal Government agrees to toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.
39. Australian Medical Association (AMA), Guaranteeing security of the My Health Record, media release, 25 July 2018.

Government response

On 31 July 2018, the Minister for Health, Greg Hunt, announced strengthened privacy protections would be introduced for the My Health Record system:

After constructive discussions with the AMA and RACGP, the Government will strengthen privacy provisions under the My Health Record Act, removing any doubt regarding Labor’s 2012 legislation. Labor’s 2012 My Health Record legislation will be strengthened to match the existing ADHA policy. This policy requires a court order to release any My Health Record information without consent. The amendment will ensure no record can be released to police or government agencies, for any purpose, without a court order.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. My Health Records Amendment (Strengthening Privacy) Bill 2018 10 The Digital Health Agency’s policy is clear and categorical – no documents have been released in more than six years and no documents will be released without a court order.

This will be enshrined in legislation. This change to the My Health Record Act will therefore remove any ambiguity on this matter. In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system. The Government will also work with medical leaders on additional communications to the public about the benefits and purpose of the My Health Record, so they can make an informed choice. We will be looking to implement and introduce these changes as soon as possible.

40 The proposed privacy protections have been positively received by the AMA and the RACGP.41 At the Council of Australian Governments Health Council meeting on 2 August 2018 jurisdictions reaffirmed their support of a national opt-out approach to the My Health Record system. The meeting communique stated: Jurisdictions noted clinical advice about the benefits of My Health Record and expressed their strong support for My Health Record to support patient’s health. Ministers acknowledged some concerns in the community and noted actions proposed to provide community confidence, including strengthening privacy and security provisions of My Health Record.

42 On 10 August 2018, the Government confirmed it would extend the opt-out period for My Health Record for an extra month to 15 November 2018.43 Committee consideration Senate Community Affairs References Committee On 15 August 2018, the Senate Community Affairs References Committee (References Committee) was referred an inquiry into the My Health Record system for inquiry and report by 8 October 2018.44 The terms of reference of the inquiry contain a number of matters relevant to the amendments of the Bill, including ‘the arrangements for third party access by law enforcement, government agencies, researchers and commercial interests’ and ‘measures that are necessary to address community privacy concerns in the My Health Record system’.

On 12 October 2018, the References Committee sought and received an extension to the reporting date of the inquiry to 17 October 2018.

Further information regarding the inquiry, including the full terms of reference, is available on the inquiry homepage.

40. G Hunt (Minister for Health), Strengthening privacy protections for My Health Record, media release, 31 July 2018.
41. Australian Medical Association (AMA), Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 79], 14 September 2018, Attachment A, p. 2; P Hayes, ‘Federal Government agrees to toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.
42. Council of Australian Governments Health Council, Communiqué, 2 August 2018, p. 5.
43. G Hunt (Minister for Health), My Health Record opt-out period extended, media release, 10 August 2018.
44. Australia, Senate, Journals, 108, 2017-18, 15 August 2018, pp. 3471-3472.

Senate Community Affairs Legislation Committee

On 23 August 2018, on the recommendation of the Senate Selection of Bills Committee, the Senate referred the provisions of the Bill to the Senate Community Affairs Legislation Committee (Legislation Committee) for inquiry and report by 8 October 2018.45 On 19 September 2018, the Senate granted an extension of time for reporting until 12 October 2018.46 Further information regarding the inquiry is available on the inquiry page.

In particular, the inquiry page outlines the approach to the evidence received for the inquiry: The Community Affairs Committees have agreed to share relevant evidence in the My Health Record system inquiry and the inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018. Only matters related to provisions of the Bill will be considered in the Legislation Committee inquiry.

The Legislation Committee tabled its report into the provisions of the Bill on 12 October 2018. In relation to the amendments of the Bill, the committee’s report stated:

The committee recognises the considerable expected benefits of the [My Health Record] system, and that healthcare recipients' confidence in the privacy provisions of the system is vital in ensuring the system's overall success. The committee commends the Bill's proposed amendments to sections 65, 69 and 70 to the MHR Act to strengthen the privacy provisions of the MHR system.47

Additional comments were made by Labor senators who noted the broader concerns which had been raised with the My Health Record system and urged the Government to ‘heed Labor's call to suspend the opt-out rollout until all remaining concerns are addressed and public confidence in this important reform is restored’.48

Additional comments were also made by the Australian Greens senators who cautioned that the Bill ‘represent a minor improvement instead of the necessary solution’. They noted two specific issues. The first was ‘unanswered questions’ regarding the potential access by law enforcement to backups and cache files. The second was their support for a proposal made by the University of Melbourne for a notification to the healthcare recipient if their information has been disclosed under the new process in the Bill.49

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.50

Policy position of non-government parties/independents

Australian Labor Party (Labor)

Labor representatives do not appear to have commented on the specific provisions of the Bill.

45. Australia, Senate, Journals, 113, 2017-18, 23 August 2018, p. 3607.
46. Australia, Senate, Journals, 120, 2017-18, 19 September 2018, p. 3823.
47. Senate Community Affairs Legislation Committee, My Health Records Amendment (Strengthening Privacy) Bill 2018 [Provisions], 12 October 2018, p. 17.
48. Ibid., p. 21.
49. Ibid., p. 24.
50. Senate Standing Committee for the Scrutiny of Bills, Scrutiny digest, 10, 2018, 12 September 2018, p. 10.
51. H Belot, ‘My Health Record rollout should be suspended until potential flaws addressed, Bill Shorten says’, ABC News, 25 July 2018.

While broadly supportive of an electronic health record system, Labor has expressed the view that the rollout of My Health Records should be suspended until privacy concerns with the system are addressed.51 For example, on 15 August 2018, Ms Catherine King MP, the Shadow Minister for Health and Medicare, released a media release in relation to the Senate Community Affairs References Committee inquiry into the My Health Record system.

It stated: We remain deeply concerned that the Government's bungled rollout of the My Health Record opt-out period has severely undermined public trust in this important reform... Labor has long supported an electronic health record system. We believe it has the capacity to revolutionise health care delivery, but we also recognise it needs a high degree of public support in order to be successful.

While the Government has agreed to a number of changes demanded by Labor and doctors' groups, including an extension of the opt-out period and a new public information campaign, more needs to be done...52

While Labor did not oppose the passage of the Bill in the House of Representatives, it unsuccessfully sought to amend the motion passing the Bill to include ‘the House calls on the Government to suspend the “opt out” phase of the My Health Record rollout until other privacy and security concerns are addressed’.53

Australian Greens

Prior to the introduction of the Bill, on 27 July 2018, the Australian Greens announced they would pursue a Private Senators Bill ‘to ensure that any access to my health record data by law enforcement would require a warrant’.

The Australian Greens leader, Senator Richard Di Natale, stated that ‘[i]f you want to access someone’s medical records, you should have to have a warrant, simple as that’.54 Australian Greens representatives do not appear to have commented on the Bill.

Centre Alliance

Prior to the introduction of the Bill, on 25 July 2018, Centre Alliance Senator Rex Patrick was reported as stating ‘Centre Alliance will write to the health minister urging him to introduce legislation to ensure people’s health data is properly protected’.55 In her second reading speech in the House of Representatives, Centre Alliance’s Rebekha Sharkie MP supported the Bill but noted that it was ‘qualified support’.

She outlined a number of broader privacy and security concerns with the My Health Record system and indicated that she remained open to amendments ‘following the release of the [Senate] committee report’.56

Australian Conservatives

Prior to the introduction of the Bill, on 25 July 2018, Australian Conservative Senator Cory Bernardi was reported as stating that he was ‘open to all suggestions that will enhance individual privacy, the security of data, and to protect people from the intrusion of big government, whether that be from law enforcement or other government departments’.57

52. C King (Shadow Minister for Health and Medicare), Senate adopts Labor’s Plan for an inquiry into My Health Record, media release, 15 August 2018, p.
53. Australia, House of Representatives, Votes and proceedings, 139, 2017–18, 19 September 2018, pp. 1846–47.
54. R Di Natale, The Greens will move to enshrine warrant requirement in MyHealth: Di Natale, media release, 27 July 2018.
55. P Karp, ‘My Health Record: AMA says it will do “whatever it takes” to ensure privacy’, The Guardian, 25 July 2018.
56. R Sharkie, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of Representatives, Debates, (proof), 18 September 2018, p. 59.
57. Ibid.

Senator Tim Storer

Prior to the introduction of the Bill, on 3 August 2018, independent Senator Tim Storer indicated he would be opting out of the My Health Record system. His media release stated:

My Health Record as currently legislated appears more of a law enforcement measure than a health care initiative. The changes that Health Minister Greg Hunt has announced do not address the faults in My Health Record’s design. I have serious concerns that the lack of protections for privacy and security for sensitive health information remain...

At the very least, My Health Record must be suspended, pending a full parliamentary enquiry with an emphasis on evidence from qualified cyber-security experts.58

Position of major interest groups

Persons and organisations with an interest in the My Health Record system have provided submissions and evidence to the Senate Community Affairs Committee inquiries into the Bill and the My Health Record system. While a range of concerns regarding the privacy and security of the My Health Record system have been raised, the amendments of the Bill were largely supported by the persons and organisations who contributed to the inquiries.59 For example, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, welcomed the changes:

The community in general is seeking greater clarity as to how their personal information is collected and used, including by any third parties.

In relation to the My Health Record this is manifested, for example, in relation to concern as to access to the record by third parties such as law enforcement. In that regard, I welcome the government's decision to introduce the My Health Records Amendment (Strengthening Privacy) Bill to provide stronger safeguards regarding access to the record. I also welcome the bill's intention to allow the permanent deletion of My Health Record records on request. This is an important mitigation, which allows individuals to decide at a later date that they do not wish to have a My Health Record.60

The Consumers Health Forum of Australia also commended the ‘government's response to concerns about release to law enforcement and other agencies without a warrant’:

The community expects due diligence and vigilance by legislators and the system operator when it comes to privacy safeguards and accountability and transparency in those safeguards ... We advocated for those legislative changes to ensure that no My Health Record could be released to police for any purpose without a court order. We also support measures and steps to change the legislation to ensure that if any Australian wishes to cancel their record, they can do so permanently with the record deleted from the system.61

58. T Storer, I am opting-out of My Health Record, media release, 3 August 2018, pp. 1–2.
59. For example, M Bailes (Law Council of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p. 26; Australian Association of Social Workers, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 49], September 2018, p. 3; Australian Human Rights Commission, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 11], 14 September 2018, p. 1; Australian Nursing and Midwifery Federation, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 25], pp. 7–8.
60. A Falk, Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p.
61. L Wells (Consumers Health Forum of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 17 September 2018, p. 6.

The AMA considered that, if the Bill were passed, ‘the remaining circumstances where the legislation allow[s] disclosure strike an appropriate balance’ between protection of patients’ privacy and allowing access in appropriate circumstances. It noted:

These controls are substantially tighter than the controls that apply under the Privacy Act 1988 (Cth) to patient data stored in the clinician’s own patient records.

They also impose greater restrictions on the government’s and courts’ powers to require production than apply to data held by the patient outside the My Health Record system.62

In its submission, the ADHA reiterated that it ‘ha[s] never received a request for information for law enforcement purposes and ha[s] not released any information for such purposes’ and noted that it has an operational policy that it would not release any documents without a court or similar order.63 The ADHA described the proposed amendments as acknowledging ‘the evolving expectations of the community since the legislation was first debated and approved in Parliament in 2012’. It stated that the ‘changes also reflect the strong and positive advocacy of the clinical and consumer peak bodies who have been central in advocating for these issues to be addressed in the legislation’.64

However, the Australian Privacy Foundation raised concerns with the proposed amendments:

- The claim that there is no additional cost. This is only true if the real problem of deleting inactive records is not properly addressed...
- The presumption that people will not want to delete individual documents from the health record
- The reality that the government can change the legislation at any time in the future.
- The reality that My Health Data will flow into other systems that have nothing like the safeguards built into My Health Records and where the prohibitions and authorisations of do not apply, as per Section 71 of the legislation...
- The government treats itself as a special case, for which they have provided no justification. The government needs to treat itself as a third party in the patient/health provider relationship.

The proposed amendments seem to reinstate judicial review, but this has to be read in the context of the rest of the legislation. Just as we were reassured about third-party access provisions in the legislation, we need to look at what other hidden landmines there are. Only a full review of the legislation and all of its possible implications now and in the future will be acceptable.65

The Women’s Legal Service NSW also noted that, while the amendments of the Bill provide for a mechanism to permanently delete records from the My Health Records system, ‘the deletion of records is a complex problem’.

It stated:

The My Health Record database is designed for retention not deletion. Consequently, even if data is deleted from the database, there is a possibility that it may still be present in the backup ‘snapshots’. Some of these backups may be retained for extended periods and accessible to a small group of IT administrators. This radically weakens the effectiveness of the mechanism afforded in the legislation to delete health records, consequently putting private health information at risk of exposure.66

62. AMA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, op. cit., p. 2.
63. ADHA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, 14 September 2018, [Submission no. 31], p. 10.
64. Ibid.
65. Australian Privacy Foundation, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 1], 5 September 2018, p. 18.
66. Women’s Legal Service NSW, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 19], 14 September 2018, p. 3.